One of every five people (20.5%) in Ireland are children under the age of 14. This constitutes the highest proportion of children in the EU, where the average was 15.2% in 2019. Ireland’s proportion of young people under the age of 30 is also the highest in the EU, at 39%. It’s an influential figure for Irish policy makers and regulators, who have strengthened their approach to protection of children’s personal data in recent years. This greater emphasis on children’s rights is due to a number of additional intersecting dynamics including EU law, child abuse scandals, a rise in cyberbullying, and a growing consensus that children face heightened digital risks. These dynamics have also informed the planned establishment of an Online Safety Commissioner, currently advancing as part of the Online Safety and Media Regulation Bill just published and currently receiving strong media attention.
Together with the Irish DPC role as lead regulator for many leading technology and social media companies, these legal and cultural headwinds provide the context within which the DPC aims to develop strong child data protection standards.
Introduction
Following extensive public consultation, with experts as well as school children, the DPC has issued comprehensive guidance on the processing of children’s data. Entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing,” the guidance sets out 14 principles (referred to as “the Fundamentals”) for organizations engaged in processing the personal data of children.
In addition to the usual GDPR expectations, the specific Fundamentals also include:
- Zero interference with a child’s best interests, where organizations rely on legitimate interests as their legal basis for processing;
- “Know your customer” requirements focusing on child-oriented transparency; and
- Specific guidance around age verification and consent
The overall aim of the Fundamentals, in protecting the best interests of children, is to at least set a default floor of high standardised protection for all data subjects where children may form part of a mixed user audience.
A Pyramid of Protection
A pyramid of protection for children’s rights informs the Fundamentals. The Irish Constitution, the dynamic foundation of Irish law, guarantees to protect and vindicate the ‘natural and imprescriptible rights of all children’. In addition Ireland ratified the UN Convention on the Rights of the Child and the assigned UN Committee published a general comment in 2021 explicitly stating that children’s rights under the Convention apply to the digital environment. The case law of the ECJ and the European Court of Human Rights fleshed out those rights in specific detail prior to the birth of the GDPR. The DPC places the guidelines within that prism of law and so reflects and relies on these broader legal protections for children to frame its Fundamentals.
The Fundamentals
Consistent with the GDPR, the Fundamentals confirm that children have the same rights as adults over their personal data. Their data does not belong to any other interested party, such as their parents or guardians. Children are given the same rights as adults to transparent processing, access, rectification, erasure, portability, restriction, objection, and freedom from automated decision making.
However, this is easier said than done. Determining the optimal way to balance children’s rights and the commercial mission of companies can be tricky given varying cultural norms and ever evolving digital dynamics. While veering towards prescriptive at times, the Fundamentals aim to guide and will be persuasive in legal fora, particularly given the DPC’s role as lead regulatory authority for many of the major on line platforms.
Legal Bases
The Fundamentals provide details on how the GDPR’s legal bases should be applied to the processing of children’s data, guiding the following observations:
- All legal basis for processing are equal to each other under the GDPR. Consent does not therefore assume a higher ranking.
- Where relying on consent, however, organizations should ensure that children are given real choice over how their personal data is used and are capable of giving informed consent.
- As with employment, the guidance states that data controllers must take account of any imbalance of power inherent in the relationship with the user-child and must consider whether such consent can truly be deemed to be “freely given.” A capacity assessment may be necessary to assess this, which would likely require additional resourcing and expert teams, as an inevitable consequence of the decision to provide services to children using consent as a legal basis. In practice, this will make it more difficult to rely on consent as the legal basis for processing children’s data.
- Reliance on contractual necessity will also prove difficult, given what the guidance refers to as the “complexities, nuances and antiquated nature of elements of this area of Irish contract law.” Under Irish contract law, minors under the age of 18 have limited legal capacity beyond contracts for necessities.
- Using compliance with a legal obligation as the legal basis for child data processing, requires identification of the specific legal obligation being relied on, why it is necessary to rely on it for processing a child’s data but without it being a barrier to safeguarding and protecting the best interests of the child.
- While the vital interests of the child may form the legal basis for processing, child protection measures should take precedence over data protection considerations. The guidance states, in relation to this basis of processing, that ‘the GDPR and data protection in general, should not be used as an excuse, blocker or obstacle to sharing information where doing so is necessary to protect the vital interests of a child or children.’
- Likewise, for reliance on the performance of an official or public task as a legal basis, the DPC guidance should be complied with, “save where the public interest and/or the best interests of the child require otherwise and the organization can demonstrate why/how this is the case.”
- But using legitimate interests as the legal basis to process children’s information will be is particularly difficult under the Fundamentals. Under the GDPR a balancing exercise between the necessity of an organizations legitimate interests and the rights of data subjects is required if the organization seeks to rely on that as the legal basis for such processing. However, using the legitimate interest basis for processing children’s data, while not impossible, is actively discouraged in Fundamental 3 with a zero tolerance approach to encroachment on a child’s best interests. While this approach was not popular with the technology sector during the public consultation, the DPC guides that ‘the child’s interests or fundamental rights should always take precedence over the rights and interests of an organization which is processing children’s personal data for commercial purposes.” Also, the DPC guides that “in circumstances where there is any level of interference with the best interests of the child, this legal basis will not be available for the processing of children’s personal data.”
Further Processing Concerns
Beyond the legal bases above, the Fundamentals provide further guidance on a wider array of child data processing issues, guiding the following observations:
- Age is addressed in two respects – the age of digital consent and age verification. The digital age of consent in Ireland is currently 16, though it is subject to review this year. Where an offering to any child under that age is based on consent, it must be via parental/guardian consent. Fundamental 2’s “Clear-cut Consent” states that it is “of critical importance” that this requirement does not operate to prevent a child accessing a service. Nor should such consent from children or their parents be used as a way to treat children of all ages as if they were adults.
- Organizations are expected to make “reasonable efforts” to verify parental consent where given on behalf of a child under the age of 16. While leaving it up to the companies to decide how best to achieve this, the DPC guides a higher burden of verification for technology and internet companies given the “scale, specialities and resources” available to them and the higher risks to their child users. All methods of parental verification are expected to be proportionate, risk based and “not overly intrusive” The DPC refers to methods endorsed by the equivalent regulators in other jurisdictions which could act as a blueprint, noting in particular 7 specific U.S. FTC methods (see pages 42-43).
- “Your Platform, Your Responsibility” is Fundamental 9. Under it, the DPC expects those selling goods and services through digital and online technologies to go the “extra mile” in their age verification measures. The DPC “considers that a higher burden applies to such organizations in their efforts to both verify age . . . and verify that consent has been given by the parent/guardian of the child user.”
- Given its position on the use of legitimate interests as a legal basis for processing, it is not surprising that the DPC opines that profiling and targeted behavioural advertising “will generally not satisfy this principle of zero interference with the best interests of a child.” In essence, profiling and marketing to children is a no-go zone unless it is clearly in the best interests of the child. It is difficult to see how that might be the case in most commercial environments.
- While some marketing can be consented to by children, the DPC suggests that “in any case where an organisation is considering directing marketing activities towards children, it should be extremely cautious about doing so.” For those under 18, the best interests of the child “remain paramount.” Organizations who decide to directly market to children should, the Fundamentals guide, be able to demonstrate how this is in the child’s best interest, irrespective of commercial interests. The DPC also refers to the International Chamber of Commerce, Advertising and Marketing Communications Code’s promotion that a child’s personal data should not be used to target marketing towards other family members, without parental consent.
- The Fundamentals follow the EDPB’s position that children are entitled to information about the processing of their data, irrespective of the legal basis for processing. Clear and plain language is of particular importance to make such information understandable to the child.
- “Knowing your Audience,” “Information in Every Instance,” and “Child-oriented Transparency” are Fundamentals 4, 5, and 6. They require child-specific protective measures tailored to various age ranges of child users or, in the alternative, a baseline set of information which is clear and simple enough for all users, regardless of age, to access and understand.
- Organizations are asked to use clear, simple language in explaining data protection to children with non-textual measures such as cartoons, videos, images, icons or gamification recommended depending on user ages. Also recommended is the use of methods relevant to the service being offered, g. for a video sharing platform, a video may be the best way to communicate to child users. The Fundamentals recommend that information should be provided to children up front, should encourage them to be curious and cautious about their personal data, and encourage them to seek parental guidance.
- Further, the DPC guides that, if children have questions about the information they receive, they should be able to easily interact with the organization if unsure about the information they receive. Examples include instant chat, a dedicated email address, or a privacy dashboard. The DPC also guides that providing explanations to children on settings switched off or denied to children by default, and warning boxes with explanations where a child tries to deactivate such settings, should, as a protective measure, be built in to the service.
Impact Assessments
While recognizing that there may be some tension between a child’s right to data protection and rights to freedom of expression and association, the DPC states that there should be no need for a tradeoff between empowering and protecting the child in the digital environment. A child’s best interests should be the guiding principle and should be assessed and analyzed with expert assistance, as appropriate. The DPC expects organizations to document these assessments in Data Protection Impact Assessments (DPIAs) tailored to different types of processing having regard to ages and capacities, of users and their developmental needs. Completing and documenting “thorough and meaningful” DPIAs is a “key act of compliance” and will be a factor in the DPC’s assessment of an organizations overall GDPR compliance.
The DPC also suggests that organizations processing children’s data should consider doing a Child Rights Impact Assessment, using the UN Convention on the Rights of the Child to frame the assessment. This, according to the DPC, is “a powerful tool” for translating the best interests principle into practice.
Conclusion
The Fundamentals aim to fill in for the implementation gaps left by some lofty, but unspecific, GDPR provisions. They give a clarity that will undoubtedly be useful not just to the organizations to which they are directed, primarily those processing millions of child users’ data, but also to litigators and courts. However, they will inform the approach of the DPC in its regulatory remit so will have strong persuasive effect.
While acknowledging that these organizations have discretion on how they comply with aspects of the GDPR, the DPC notes such discretion “does not imply an excuse for inertia, inaction or rejection” of the guidance provided in the Fundamentals. “The best interests of the child must ground the actions of all data controllers, and there must be a floor of protection below which no user, and in particular no child user, drops.”
The Fundamentals are now in place, having taken effect immediately upon publication on the 17th December 2021.